Biggest Phishing Breaches

Real incidents, verified costs, and attack methods. These are the breaches that changed how organisations think about phishing risk.

Combined Losses

$598.5M

Across the 10 featured incidents (direct losses plus the estimated impact figures noted per incident)

Most Common Vector

CEO Fraud

BEC responsible for $50B+ in reported exposed losses since 2013 (FBI IC3)

Recovery Rate

~16%

Of BEC losses recovered (FBI IC3 2022)

Detailed Incident Analysis

Ubiquiti Networks

Year: 2015 | Vector: Whaling / CEO Fraud (BEC)

Loss: $46.7M | Severity: critical

Attackers impersonated an executive and directed the finance team via email to make a series of wire transfers to fraudulent overseas accounts. The company recovered $8.1M through legal action, leaving a net loss of $38.6M.

Outcome: loss disclosed in an SEC filing, $38.6M net loss, 4 arrests in Lithuania

Twitter

Year: 2020 | Vector: Vishing (phone social engineering)

Loss: $120M (est. market cap impact) | Severity: critical

A small group of attackers, including a 17-year-old, phoned Twitter employees posing as internal IT support and steered them to a fake VPN login page that captured their credentials for Twitter's internal tools. With that access, 130 high-profile accounts were hijacked, including those of Barack Obama, Elon Musk, and Joe Biden, to run a Bitcoin scam that netted roughly $120K directly, with far larger reputational fallout.

Outcome: 130 accounts compromised, $120K in Bitcoin stolen, 3 arrests

RSA Security

Year: 2011 | Vector: Spear phishing (malicious Excel attachment)

Loss: $66M+ (estimated) | Severity: critical

A spear phishing email sent to a handful of RSA employees with the subject '2011 Recruitment Plan' carried an Excel spreadsheet with an embedded Flash object exploiting a zero-day (CVE-2011-0609). One recipient pulled the message out of the junk folder and opened it, giving the attackers a foothold. The compromise exposed SecurID two-factor authentication seed values used by millions, and the stolen seeds were later used in attempted intrusions at defence contractors including Lockheed Martin and L-3.

Outcome: SecurID tokens replaced worldwide; RSA's parent EMC spent $66M+ on remediation

Sony Pictures

Year: 2014 | Vector: Spear phishing (Apple credential harvesting)

Loss: $100M+ | Severity: critical

Attackers are believed to have sent Apple ID phishing emails to Sony executives to harvest credentials that were reused on corporate systems. Once inside, they deployed destructive wiper malware that destroyed thousands of workstations and roughly half of Sony Pictures' servers, after exfiltrating around 100TB of data, including unreleased films, salary data, Social Security numbers, and executives' private emails.

Outcome: ~100TB of data stolen, 47,000 employees' PII exposed, studio co-chair Amy Pascal stepped down

Google & Facebook

Year: 2013–2015 | Vector: Email phishing (fake invoices — BEC)

Loss: $100M | Severity: high

Lithuanian national Evaldas Rimasauskas registered a company with the same name as Quanta Computer, a real hardware vendor used by both Google and Facebook, and sent forged invoices, contracts and letters in its name. Over two years the fraudulent invoices totalled more than $100M. Both companies paid, and later recovered most of the funds through legal action.

Outcome: $49.7M recovered; Rimasauskas sentenced to 5 years

Crelan Bank (Belgium)

Year: 2016 | Vector: Whaling / CEO Fraud (BEC)

Loss: $75.8M (€70M) | Severity: critical

Cybercriminals sent finance staff payment instructions in emails purporting to come from the CEO. The fraud was only discovered during an internal audit. The bank absorbed the full loss because the transfers had been approved by authorised personnel following what looked like a legitimate internal instruction.

Outcome: Full $75.8M loss absorbed; no criminal arrests reported

Twilio / Cloudflare (OKTAPUS)

Year: 2022 | Vector: Smishing (SMS phishing)

Loss: $65M+ (Twilio); reputational | Severity: high

Threat group 0ktapus sent SMS messages to employees of 130+ companies, impersonating Okta or corporate IT support and pointing to a lookalike login page. The page harvested usernames, passwords and one-time passcodes and relayed the codes to the real login in near real time, so push- and code-based MFA did not stop it. Twilio, DoorDash and others were breached. Cloudflare employees also entered their credentials, but the attackers could not log in because Cloudflare's MFA required FIDO2 hardware keys, which are bound to the genuine origin and cannot be phished. Across the campaign, 9,931 credentials at more than 130 organisations were harvested.

Outcome: 130+ organisations targeted, 9,931 credentials harvested; Twilio and others breached, Cloudflare stopped by phishing-resistant MFA

Abnormal Security Customer (Healthcare)

Year: 2023 | Vector: Spear phishing (vendor impersonation)

Loss: $4.8M | Severity: high

A mid-size healthcare provider received convincing spear phishing emails impersonating a trusted medical equipment vendor, with changed bank details. Finance staff approved payments totalling $4.8M before the fraud was detected: a classic vendor email compromise, representative of thousands of similar incidents each year.

Outcome: $4.8M lost; illustrative of average phishing attack cost (IBM: $4.76M avg)

Scoular Company

Year: 2014 | Vector: Whaling / CEO Fraud (BEC)

Loss: $17.2M | Severity: high

Grain trading company Scoular was defrauded when a corporate controller received emails purportedly from the CEO, and from an outside KPMG accountant, instructing transfers to a Chinese bank account for a confidential acquisition. The emails came from lookalike addresses and stressed secrecy, and the controller completed three wire transfers before the fraud was discovered.

Outcome: $17.2M lost; no recovery; multiple similar BEC cases filed same year

Mattel

Year: 2015 | Vector: Whaling / CEO Fraud (BEC)

Loss: $3M (recovered) | Severity: medium

A Mattel finance executive received an email from a fraudster impersonating the newly appointed CEO requesting a $3M payment to a Chinese vendor. The transfer was made. Mattel recovered the funds only by luck: the fraud was noticed the next day, which fell on a Chinese bank holiday, so the money had not yet cleared and could be frozen before the receiving bank reopened.

Outcome: $3M recovered — one of the rare full-recovery BEC cases
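The Ubiquiti, Crelan, Scoular and Mattel entries above all follow the same shape: an email whose display name matches an executive, sent from an outside or lookalike domain, sometimes with a Reply-To that quietly redirects the thread, asking for an urgent and confidential payment. The following is an added example, not code from the page or from any of the organisations named; it shows the header checks a mail-security engineer would run on inbound messages to flag that pattern. The organisation domain, executive directory and sample messages are constructed for the example.

```python
"""Executive-impersonation (BEC / CEO fraud) header checks.

Added example, not part of the original page. The organisation domain,
executive directory and the three sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-grain.com"                    # assumed organisation domain
EXECUTIVES = {                                      # assumed executive directory
    "chuck elsea": "celsea@example-grain.com",
    "maria lopez": "mlopez@example-grain.com",
}
PAYMENT_WORDS = ("wire", "transfer", "invoice", "confidential", "acquisition", "urgent")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches lookalike domains such as exarnple-grain.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings: list[str] = []

    # 1. Display name matches an executive but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display-name impersonation of {name} from {addr}")

    # 2. Sender domain is a near miss of the organisation's own domain.
    if domain != ORG_DOMAIN and levenshtein(domain, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike domain {domain}")

    # 3. Reply-To silently moves the conversation to another mailbox.
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"reply-to mismatch {addr} -> {reply_to}")

    # 4. Payment language only matters once the sender already looks wrong;
    #    legitimate finance mail mentions wires all day long.
    body = msg.get_payload(decode=True) or b""
    text = body.decode("utf-8", "replace").lower()
    if findings and any(w in text for w in PAYMENT_WORDS):
        findings.append("payment instruction in suspicious message")
    return findings


# Constructed samples: a free-mail spoof, a lookalike domain, and a real message.
SAMPLE_SPOOF = """From: Chuck Elsea <chuck.elsea@gmail.com>
Reply-To: accounts@exarnple-grain.com
To: ap@example-grain.com
Subject: Confidential acquisition
Content-Type: text/plain; charset=utf-8

Please wire the funds today to the account below. Keep this confidential.
"""

SAMPLE_LOOKALIKE = """From: Maria Lopez <mlopez@exarnple-grain.com>
To: ap@example-grain.com
Subject: Updated invoice
Content-Type: text/plain; charset=utf-8

Attached invoice has new bank details, please process as urgent.
"""

SAMPLE_LEGIT = """From: Chuck Elsea <celsea@example-grain.com>
To: ap@example-grain.com
Subject: Reminder
Content-Type: text/plain; charset=utf-8

Reminder: every change to wire instructions must be verified by phone callback.
"""


def scan_all() -> dict[str, list[str]]:
    """Run the checks over the three constructed samples."""
    return {
        "spoof": check_message(SAMPLE_SPOOF),
        "lookalike": check_message(SAMPLE_LOOKALIKE),
        "legit": check_message(SAMPLE_LEGIT),
    }


if __name__ == "__main__":
    for label, hits in scan_all().items():
        print(label, "->", hits or "clean")
```

Header checks like these are a first-line detection, not a control: the Crelan and Scoular transfers were approved by authorised staff, so the check that actually stops the loss is an out-of-band callback to a known-good number before any new or changed payment instruction is honoured.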

Could your organisation be next?

Every organisation featured here thought they had adequate controls. Calculate your phishing risk exposure in 60 seconds.

Calculate My Risk →